Security Through Boredom

Ubuntu 13.10 And mprotect() Restrictions

For a while I’ve had to keep the Restrict mprotect() option in PaX disabled because it wasn’t compatible with certain programs. It was kind of a huge pain to deal with for that reason. But I’ve finally taken the 30 seconds to just deal with it and I’ll post how.

The program that has the biggest issue with the restrictions is Unity, the program that handles your user interface on Ubuntu. So, we need to kill Unity so that we can use the paxctl program to disable mprotect restrictions.

Keep in mind that you need to enable CONFIG_PAX_PT_PAX_FLAGS in your kernel config for this.

1) Download paxctl

A simple ‘apt-get install paxctl’ is enough here.

2) Kill Unity and Xorg

This is the annoying part. Xorg just restarts every time it’s killed. So you have to run the following command:

service lightdm stop

And then hit ctrl + alt + F4.

You should now have a terminal.

3) Apply flags

Run:
paxctl -c /usr/bin/unity
paxctl -m /usr/bin/unity

Now you can reboot and your UI should work. You’ll have to do this for a few programs (like Chrome) as well.
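To see what the two paxctl commands above actually change inside a binary, here is an added Python example (not code from the original post or from the paxctl project) that reads the PT_PAX_FLAGS program header directly. The p_type value and flag bit positions are the ones from PaX's ELF definitions; the minimal ELF image it inspects is constructed inline and is not a runnable program.

```python
import struct

# p_type of the header paxctl -c creates (by converting PT_GNU_STACK); -m/-M then edit its p_flags.
PT_PAX_FLAGS = 0x65041580
# Bit positions of the PaX flags inside p_flags (values from PaX's elf.h).
PAX_FLAG_BITS = {
    "PAGEEXEC": 1 << 4,  "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6,  "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8,  "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}

def read_pax_flags(elf: bytes):
    """Return the set of PaX flag names in PT_PAX_FLAGS, or None if the header is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return {name for name, bit in PAX_FLAG_BITS.items() if p_flags & bit}
    return None

def mprotect_state(elf: bytes) -> str:
    """'disabled' after paxctl -m, 'enabled' after paxctl -M, 'default' if the binary is silent."""
    flags = read_pax_flags(elf)
    if flags is None or not (flags & {"MPROTECT", "NOMPROTECT"}):
        return "default"   # kernel-wide setting (CONFIG_PAX_MPROTECT / softmode) applies
    return "disabled" if "NOMPROTECT" in flags else "enabled"

def build_sample_elf(pax_p_flags: int, p_type: int = PT_PAX_FLAGS) -> bytes:
    """Constructed sample: a bare ELF64 header plus one program header, nothing else."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)      # ELF64, little-endian, version 1
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, pax_p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    # Pass a real binary (for example /usr/bin/unity after the paxctl -m step) to inspect it.
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print(read_pax_flags(data), mprotect_state(data))
```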

From the Grsecurity wiki on mprotect() restrictions:

Enabling this option will prevent programs from
– changing the executable status of memory pages that were
not originally created as executable,
– making read-only executable pages writable again,
– creating executable pages from anonymous memory,
– making read-only-after-relocations (RELRO) data pages writable again.

You should say Y here to complete the protection provided by
the enforcement of non-executable pages.

12 thoughts on “Ubuntu 13.10 And mprotect() Restrictions”

I don’t know about Unity, but Xorg was actually working fine with mprotect() restriction for a while (circa Slackware 13.37), including hardware acceleration. I rather hope this is a problem with Ubuntu’s repo version, as opposed to an upstream issue.

I’ve been reading the PaX Quickstart wiki info from the Hardened Gentoo folks. They say: “While PT_PAX is still supported, the preferred approach is to use XATTR_PAX which places the PaX flags in a file system’s extended attributes.” http://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart

And they suggest using paxctl-ng to adjust XATTR_PAX settings.

However, I don’t know how to find/install paxctl-ng. Paxctl is readily available on the PaX Team homepage and is in Ubuntu repositories. No idea where paxctl-ng is available. Is it only for Gentoo?

What do you think about working with XATTR_PAX as opposed to PT_PAX? Do you disagree that XATTR_PAX should be the preferred flag to work with?

Do you still use mprotect() restrictions? I have been trying, and the whitelist of applications that break is growing to an extent where I do not find it funny any more. Without mprotect() everything is fine in userspace as long as you do not try to load any proprietary kernel modules; that means without mprotect() restrictions you can still have your old level of usability.
mprotect() restrictions break almost everything; you won’t even get to the login screen the first time after you’ve installed the kernel.
mprotect() restrictions seem to be for absolute freaks who do not mind keeping a list of what breaks, but it definitely hurts you when you try to get things done on your desktop (apps get killed spontaneously by PaX because of those restrictions).
This is my experience. I am no security expert, only a reasonably concerned user, but is disabling the mprotect() restriction so much worse for security?

I have written a script that helps inexperienced Ubuntu users to compile and install a grsec kernel (all fully automatic after the first questions) and keep it up to date (simply run the script again; it will detect updates and recompile the kernel), and for the above reasons I explicitly ask if they want the mprotect() restrictions. (I recommend choosing n.)
You can find the initial version of the script here: http://pastebin.com/JGkdK0Xu

Do you use apparmor to restrict applications, or rbac? According to your blog, apparmor, but I’m not sure if that is up to date. Cool that it works on eos; however, stock eos is not much, I have to admit. Do you use bigger applications like blender, kdenlive etc.?
What about compilers?

BTW: Xorg worked on Ubuntu 14.04 (I had to whitelist compiz). Unity worked too and did not need to be whitelisted separately, but that already outlines the issue: It does not remain constant.
Chrome or Chromium?